DIGITALEUROPE 


15 NOVEMBER 2019 




Proportionality 




Demands for enterprise data (Art. 5) 


It is important that, under the Commission’s proposals, where LEAs seek data
stored on behalf of an enterprise, they must seek the data from the enterprise
itself, unless doing so would jeopardise the investigation. Whilst Article 5 and
Recital 34 make it clear this includes hosting services, some further clarity would
be good, covering all enterprise cloud services (SaaS, PaaS and IaaS).


We welcome the Council draft clause protecting the confidentiality of public 
authorities’ data stored in the cloud by limiting the reach of the EPO seeking such 
data to the issuing State. 


Necessity of immunity for good faith (Recital 46) 


The Regulation and Directive require service providers to comply with EPOs and 
other legal processes or face substantial penalties. However, they do not clearly 
protect providers if their compliance violates other EU or Member State laws. 
Recital 46 of the Regulation states that providers should be immune from liability 
for their good-faith compliance with disclosure and preservation orders. 


This immunity is critical and should be included in the Regulation’s operative 
provisions. 


Time limits for responses (Art. 9) 


The proposal requires providers to transmit data to LEAs ‘at the latest within 10 
days upon receipt’ of an EPO, and ‘within 6 hours’ in emergency cases. 
Providers will need time to assess the legal validity of each order and to prepare 
their response. 


Providers should have sufficient time to meaningfully evaluate and respond 
appropriately to each disclosure order they receive. 


For emergency cases the time limit should be aspirational as opposed to
mandatory. It will not always be possible to react in a matter of hours, even for
emergency cases. The most important change legislators could make to speed
up disclosures of data in such cases is to provide protection from liability.


It is important that only an imminent threat to life or physical harm should be
treated as an emergency. The proposed broad possibilities for authorities to depart
from the already very tight deadlines should be deleted.


Service providers intervening with orders (Art. 9)


The proposal authorises service providers to object to an EPO where it is 
apparent that the order manifestly violates the Charter of Fundamental Rights. 
We share the view that this provision should not be focused on concerns that 
arise under the Charter but should instead give service providers the right to 
raise concerns whenever an order for user data is unlawful, overbroad or 
otherwise abusive. 


Some requests may have an impact on some basic rights, such as the right to
freedom of expression. Therefore, a fundamental rights ground for refusal should
be maintained. We welcome the Parliament’s working document¹ that recognises
the important role service providers can play in this regard.


Empowering service providers to raise such concerns is critical. Service 
providers can identify demands that are overly broad or inappropriate for other 
reasons. The Council’s text does not give service providers any right or 
mechanism by which to raise concerns about the legality of orders they receive, 
and we strongly urge the European Parliament to reinstate this possibility. 


Sanctions (Art. 13)


The Council text requires Member States to administer fines of up to 2% of a 
service provider's total worldwide annual turnover for failure to comply with an 
EPO. Such fines will ultimately encourage compliance at all costs and penalise 
providers who take their responsibilities to protect their users’ data seriously. 


In addition, sanctions at this level also exacerbate the lack of protections against 
conflicts of laws in the Council text in cases where compliance with an EPO 
would violate a third-country law. 


We urge the European Parliament to maintain the original sanctions provisions 
set out in Art. 13 of the Commission’s proposal. This would require Member 
States to provide for sanctions that are ‘effective, proportionate and dissuasive.’ 


1 See pages 3-5 of the ‘3rd Working Document (A) on the Proposal for a Regulation on European 
Production and Preservation Orders for electronic evidence in criminal matters (2018/0108 
(COD)) — Execution of EPOC(-PR)s and the role of service providers.’ 

(http://www. europarl.europa. ment/LIBE-DT-634849 EN.pdf?redirect)

Senior Policy Manager for Infrastructure, Privacy and Security

About DIGITALEUROPE

DIGITALEUROPE represents the digital technology industry in Europe. Our members include 
some of the world’s largest IT, telecoms and consumer electronics companies and national 
associations from every part of Europe. DIGITALEUROPE wants European businesses and 
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the 
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in 
the development and implementation of EU policies.

Corporate Members

Dell, Dropbox, Epson, Ericsson, Facebook, Fujitsu, Google, Hewlett Packard Enterprise, Hitachi, HP Inc.,
HSBC, Huawei, Intel, Johnson & Johnson, JVC Kenwood Group, Konica Minolta, Kyocera, Lenovo, 
Lexmark, LG Electronics, Loewe, MasterCard, METRO, Microsoft, Mitsubishi Electric Europe, Motorola 
Solutions, MSD Europe Inc., NEC, Nokia, Nvidia Ltd., Océ, Oki, Oracle, Palo Alto Networks, Panasonic 
Europe, Philips, Pioneer, Qualcomm, Ricoh Europe PLC, Rockwell Automation, Samsung, SAP, SAS, 
Schneider Electric, Sharp Electronics, Siemens, Siemens Healthineers, Sony, Swatch Group, Tata 
Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, Visa, VMware, Xerox. 


National Trade Associations 


Austria: IOÖ
Germany: BITKOM, ZVEI
Slovakia: ITAS
Belarus: INFOPARK
Greece: SEPE
Slovenia: GZS
Bulgaria: BAIT
Estonia: ITL
Italy: Anitec-Assinform
FIAR
Norway: Abelia
Poland: KIGEIT, PIIT, ZIPSEE
Portugal: AGEFE
Romania: ANIS, APDETIC
ECID